Hackers expose 453,000 credentials allegedly taken from Yahoo service (Updated)

SQL injection retrieves user names and passwords stored in plaintext.

Hackers posted what appear to be login credentials for more than 453,000 user accounts that they said they retrieved in plaintext from an unidentified service on Yahoo.

The dump, posted on a public website by a hacking collective known as D33Ds Company, said the group penetrated the Yahoo subdomain using what's known as a union-based SQL injection. The hacking technique preys on poorly secured Web applications that don't properly handle text entered into search boxes and other user input fields before using it in database queries. By injecting database commands into those fields, attackers can trick back-end servers into dumping huge amounts of sensitive information.

To support their claim, the hackers posted what they said were the plaintext credentials for 453,492 Yahoo accounts, more than 2,700 database table or column names, and 298 MySQL variables, all of which they claim to have obtained in the exploit.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," a brief note at the end of the dump stated. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

In a statement published by TechCrunch, Yahoo representatives confirmed a breach that hit the site's Contributor Network (previously Associated Content) on Wednesday. The stolen data was contained in an "older file," and only about 5 percent of the exposed credentials were still valid on Yahoo.

"We are fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users accounts may have been compromised," the statement continued. "We apologize to affected users. We encourage users to change their passwords on a regular basis and also familiarize themselves with our online safety tips at security.yahoo.com."

Because many people use the same credentials for multiple accounts, Ars isn't identifying the address of the website that published the disclosure. But at time of writing, the URL wasn't hard to find.

The TrustedSec blog is reporting that the hacked service may be Yahoo Voices, aka Associated Content. That speculation is based on the string "dbb1.ac.bf1.yahoo.com" included in the dump. The subdomain is associated with the voice service, the post said.

Article updated to reflect TrustedSec now says the compromised property is Yahoo Voices. Later updated to add official comment from Yahoo.

Promoted Comments

At this point I guess we should always assume that every password we give to an online service is stored in plain text, and therefore avoid password reuse at all costs. Companies can't be trusted to give a shit about your personal security, and lawmen and/or politicians are too fucking clueless about technology to understand that storing unencrypted passwords should be considered criminal negligence and dealt with as such.

SevenFactors wrote:

Given all the recent hacks, not to mention the massive PlayStation Network incident [hopefully they learned and are now encrypting, hashing and salting], one would think that companies who know they are stashing users' credentials in plain text would be proactive and not wait till they get hacked to then take action.

Well, what to expect? Yahoo got stuck in 1998.

PSN passwords were encrypted and salted. There's this common misconception that they were not because the initial disclosure of the attack stupidly used ambiguous terms, which they clarified later.

The problem here was SQL Injection (which, btw Dan, is not caused by failure to scrutinize input but rather by NOT using prepared statements and properly binding the user input. There is a difference).

This statement couldn't be more wrong.

Scrutinizing input (white lists and/or blacklists) MIGHT stop SQL injection, but it only works if you happen to get it completely right. This is damn hard with UTF and more advanced SQL engines. Proving you are doing this correctly is impossible to do. The best you can do is "Mostly Correct". Don't trust your data to "Mostly Correct".

Property binding completely removes user input from the SQL parser, which fixes the issue with no worries.

With respect to a broad range of Web application vulnerabilities, the statement is technically correct. When it comes to specifically SQL Injection, it is not "the most" correct and comprehensive answer one can give.

Proper input validation (aka white listing) can indeed wipe out large swaths of web application vulnerabilities, including SQL Injection -- but it is not guaranteed. When piping user-supplied input into database commands, an additional and essential layer of defense is to use parameterized SQL statements. So even if the input-validation fails, the web app is still protected, from SQL Injection at least.

The same is true of XSS. When printing user-supplied input to the screen, you need to perform context-aware output encoding. Again, input validation "might" save you, but proper output filtering definitely will.

Speaking for myself, given the sheer number of SQLi issues still in circulation, I'd easily take more of their coding option.
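The article's description of a union-based SQL injection and the comment above about parameterized statements, shown side by side as an added example (not code from the article, the commenters or the breached service). The table schema, rows and payload are all constructed; Python's built-in sqlite3 stands in for MySQL.

```python
"""Constructed demonstration of a union-based SQL injection and its fix.
Added example, not code from the article or the breached service; the
schema, rows and payload below are all constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a public table and a private one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles (id INTEGER, title TEXT, author TEXT);
        CREATE TABLE users (id INTEGER, email TEXT, password TEXT);
        INSERT INTO articles VALUES (1, 'Cribbage tips', 'alice');
        INSERT INTO articles VALUES (2, 'Salting 101', 'bob');
        -- constructed sample credentials, stored in plaintext like the dump
        INSERT INTO users VALUES (1, 'alice@example.invalid', 'hunter2');
        INSERT INTO users VALUES (2, 'bob@example.invalid', 'Password1');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """The bug: the search term is spliced into the SQL text, so the
    database parser sees whatever the user typed as part of the query."""
    sql = f"SELECT title, author FROM articles WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """The fix: the term is passed as a bound parameter. It never reaches
    the SQL parser, so it can only ever be compared against titles."""
    sql = "SELECT title, author FROM articles WHERE title LIKE '%' || ? || '%'"
    return conn.execute(sql, (term,)).fetchall()


# A constructed union-based payload of the kind the article describes: it
# closes the quoted string, appends a second SELECT against another table
# with the same column count, and comments out the rest of the query.
UNION_PAYLOAD = "x%' UNION SELECT email, password FROM users -- "


def demo() -> dict:
    """Run a normal search and the payload through both versions."""
    conn = make_db()
    return {
        "normal_vuln": search_vulnerable(conn, "Salting"),
        "normal_safe": search_parameterized(conn, "Salting"),
        "payload_vuln": search_vulnerable(conn, UNION_PAYLOAD),
        "payload_safe": search_parameterized(conn, UNION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the payload returns the users table's rows; with the bound parameter the same input matches no title and returns nothing.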

I cannot believe that SQL injection attacks are still successful. Who are these programmers that haven't heard about parameterized queries? I guess they're the same developers who continue to store un-hashed passwords.

This stuff isn't hard, folks. I implemented password storage just recently with unique salts, key stretching and Sha1 hashing just a few months ago; it took about 4 hours to get working.

sha1? really? have you *not heard* of sha-256, sha-512, let alone bcrypt? No need to handle unique salts, key stretching, and hashing. It does all that and does it better.

In other news, formspring was also hacked and passwords exposed, but unlike everyone else, it was using salted sha-256, and afterwards upgraded to hashing to use bcrypt. Where's the article for them, praising them for handling things right?

I wish Yahoo would just go away already as Yahoo couldn't care less concerning security, and their user base, along with the rest of the web that keeps getting spam from compromised Yahoo accounts, suffers for it.

My work is in the computer repair field. There is a never-ending stream of customers at my shop wondering why/how their Yahoo email address is sending spam. It's not uncommon for all of the victims' emails and contacts to have been deleted by the perpetrators. My mom's Yahoo account has been compromised twice in the last year alone.

Judging from my experience with almost all compromised email accounts being hosted by Yahoo, I hold them 100% to blame.

"We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat," a brief note at the end of the dump stated. "There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."

Yeah it's "hacking" but at the same time - this is no different than walking by a business and pointing out to them that they left the backdoor open along with the door to the safe.

Quote:

Ars isn't identifying the address of the website that published the disclosure. But at time of writing, the URL wasn't hard to find.....

.....That speculation is based on the string "dbb1.ac.bf1.yahoo.com" included in the dump. The subdomain is associated with the voice service, the post said.

This is one of the most stupid things I've seen ARS post in a long while. You might as well post the damn link after saying all of this. Or modify the ending of this article. Retarded. (yes - I'm aware that the posted URL and the one being referred to are different)

Given all the recent hacks, not to mention the massive PlayStation Network incident [hopefully they learned and are now encrypting, hashing and salting], one would think that companies who know they are stashing users' credentials in plain text would be proactive and not wait till they get hacked to then take action.

Given all the recent hacks, not to mention the massive PlayStation Network incident [hopefully they learned and are now encrypting, hashing and salting], one would think that companies who know they are stashing users' credentials in plain text would be proactive and not wait till they get hacked to then take action.

Well, what to expect? Yahoo got stuck in 1998.

That PSN hack was a doozy. I'm fairly confident that it was directly related to the following rash of fraudulent donations to unwitting yet legitimate charities. After speaking to the two charities that ended up with the card number I used on PSN, I found out that they get fraudulent donations all the time. Mad, mad world.


I should look at that list and see if I can't find my old Yahoo password. I was trying to get into my Yahoo account (from a decade ago) the other day to play online cribbage with my friend and I couldn't remember my password and the recovery e-mail account I used is long gone.

Given all the recent hacks, not to mention the massive PlayStation Network incident [hopefully they learned and are now encrypting, hashing and salting], one would think that companies who know they are stashing users' credentials in plain text would be proactive and not wait till they get hacked to then take action.

Well, what to expect? Yahoo got stuck in 1998.

That PSN hack was a doozy. I'm fairly confident that it was directly related to the following rash of fraudulent donations to unwitting yet legitimate charities. After speaking to the two charities that ended up with the card number I used on PSN, I found out that they get fraudulent donations all the time. Mad, mad world.

Do some Wrong here and balance it with some Right over here; Mafia style. Interesting.

Can we puh-LEEZE start fining websites that store passwords in plaintext or unsalted for basic, obvious negligence?

Not hashing passwords to a sufficient strength hasn't been the cause of a single data breach - all it does is provide an added hoop IF the data has already leaked. The problem here was SQL Injection (which, btw Dan, is not caused by failure to scrutinize input but rather by NOT using prepared statements and properly binding the user input. There is a difference). That isn't to say that these companies shouldn't be using a stronger hashing scheme, but let's be clear - hashing is NOT the problem here.

Thomas Ptacek has obviously never worked on a successful commercial website. Any developer worth anything would know that you NEVER intentionally consume server resources, as that is an obvious denial of service enabler (and if you are hosted on a cloud provider like AWS or Azure you are intentionally costing your company money). It is ludicrous to intentionally enable DoS for a secondary protection when the real issues here are SQL Injection or some other data leakage flaw. On top of that, look at the password list - just because bcrypt is slow doesn't mean it will be any barrier to finding all of the people who have used some variant of "Password". Having a mechanism to blacklist common passwords and variants of common passwords would be more useful. If people want to be really paranoid they can encrypt the hashes with a key stored on the file system or create an HMAC with a filesystem-stored salt so the attacker also has to break the encryption key/salt - SHA + AES takes up significantly fewer clock cycles than bcrypt and ultimately would be a greater barrier with common passwords.

I wish Yahoo would just go away already as Yahoo couldn't care less concerning security, and their user base, along with the rest of the web that keeps getting spam from compromised Yahoo accounts, suffers for it.

My work is in the computer repair field. There is a never-ending stream of customers at my shop wondering why/how their Yahoo email address is sending spam. It's not uncommon for all of the victims' emails and contacts to have been deleted by the perpetrators. My mom's Yahoo account has been compromised twice in the last year alone.

Judging from my experience with almost all compromised email accounts being hosted by Yahoo, I hold them 100% to blame.

I'd hate to break it to you, but your mom is an idiot. I am a heavy Yahoo mail user and while I wish all their traffic was https, the login at least is. As for her account being compromised, that has more to do with her using the same password everywhere and/or her downloading trojans, or using IE.

I've been a Yahoo user for 20 years and not one break-in.

However, if you'd like to suggest a mail service with proper folder capability (not Gmail), I'd be willing to switch.

If they really wanted to help, they would have emailed Yahoo privately, showed them the info, told them the subdomain, gave them detailed info on how they hacked it, and a window of opportunity (like 90 days) to fix the holes before going public with it and getting egg on Yahoo's face.

The way they handled it here, they just sound like a bunch of self-righteous assholes trying to get a pat on the back for being self-righteous assholes.

"Oh, we found a way to get around being shunned, dirty little hackers... we'll just say it's a "warning" not a "threat" ... we're doing the public a service by posting all this info...yeah!"

Really? Next you'll be posting copyrighted material on youtube, but disclaiming by saying "this is for educational material only".

I don't mind hackers. And I don't mind egotistical hackers. But the ones that are constantly self-congratulatory for being jerks really get annoying.

Suppose you salt and hash passwords, but someone gets a dump of your user/password database. You can count on someone using the stupidest possible password allowed by the password-generation rules of the service (probably either password, Password1, or Pasword1!), since you know, with high probability, that password appears somewhere in the dump. To recover the hashed passwords, you should be able to just try various hashes/salts until you start matching the hash for whatever string you've chosen to look for. Of course, I'm no expert on cryptography, so I don't know how computationally difficult that is, but it seems to me that you could, at the very least, do much better than brute force and at worst, provide only the very basic marginal security over un-salted hashes.
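An added example (not any commenter's code) of the storage scheme the sha1/bcrypt exchange above argues about, which also speaks to this comment's question: with a unique salt per user, the same weak password produces a different record for every row, so a single guess has to be stretched once per row rather than once per dump. PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which is not in the stdlib; the optional server-side key is the "HMAC with a filesystem-stored secret" idea raised further down the thread, and its value here is constructed.

```python
"""Constructed example of password storage with a unique per-user salt,
key stretching and an optional key held outside the database.
Added example, not any commenter's code: PBKDF2-HMAC-SHA256 from the
standard library stands in for bcrypt, which is not in the stdlib."""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16
# Assumed to be loaded from a file or secret store, never from the table
# that holds the hashes; constructed value for the demo.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _prehash(password: str, server_key: Optional[bytes]) -> bytes:
    """Keyed pre-hash: a dump of the table alone is useless without the key."""
    data = password.encode()
    if server_key is None:
        return data
    return hmac.new(server_key, data, "sha256").digest()


def hash_password(password: str, server_key: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.
    A fresh random salt per call is what makes equal passwords differ."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, server_key), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str,
                    server_key: Optional[bytes] = None) -> bool:
    """Recompute with the stored salt and iteration count and compare in
    constant time, so timing does not reveal how much of the digest matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password, server_key),
        bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Two users with the same weak password still get different records,
    and a keyed record cannot be verified without the server-side key."""
    alice = hash_password("Password1")
    bob = hash_password("Password1")
    keyed = hash_password("Password1", SERVER_KEY)
    return {
        "records_differ": alice != bob,
        "alice_ok": verify_password("Password1", alice),
        "wrong_rejected": verify_password("password1", alice),
        "keyed_ok": verify_password("Password1", keyed, SERVER_KEY),
        "keyed_without_key": verify_password("Password1", keyed),
        "garbage_rejected": verify_password("Password1", "not-a-record"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```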

In other news, formspring was also hacked and passwords exposed, but unlike everyone else, it was using salted sha-256, and afterwards upgraded to hashing to use bcrypt. Where's the article for them, praising them for handling things right?

Once a company is hacked, let's be honest. The complexity of the password hashing is little defense.

I'm not saying "so don't even worry about it" but I am saying that we shouldn't praise anyone who's been hacked. Because the #1 important thing they can do with your data is keep it safe. And using a strong algorithm is a good step, but it's also like parachutes on the airplane.

That airline is awesome because when their jumbo jet flew apart at 5,000 feet they had a parachute for me!

Except in this case, password hashing with a good algorithm just makes the bad guys expend more computing power on getting passwords. And they're still going to get most of them pretty fast.

Maybe a KeePass user has a password too complex for them to spend the time on it. Hooray for the 1% of users who did it right. But by no means hooray for the company that lost the data in the first place.

My old AC account was on the list. My Gmail was there, but that password is so outdated that it's not a danger to any of my other accounts. Thanks to the multiple people who put up ways to check the list, which gave me a chance to make sure whether I was safe or not.

I wish Yahoo would just go away already as Yahoo couldn't care less concerning security, and their user base, along with the rest of the web that keeps getting spam from compromised Yahoo accounts, suffers for it.

My work is in the computer repair field. There is a never-ending stream of customers at my shop wondering why/how their Yahoo email address is sending spam. It's not uncommon for all of the victims' emails and contacts to have been deleted by the perpetrators. My mom's Yahoo account has been compromised twice in the last year alone.

Judging from my experience with almost all compromised email accounts being hosted by Yahoo, I hold them 100% to blame.

I'd hate to break it to you, but your mom is an idiot. I am a heavy Yahoo mail user and while I wish all their traffic was https, the login at least is. As for her account being compromised, that has more to do with her using the same password everywhere and/or her downloading trojans, or using IE.

I've been a Yahoo user for 20 years and not one break-in.

However, if you'd like to suggest a mail service with proper folder capability (not Gmail), I'd be willing to switch.

If you had paid attention to my post, you would have noticed I made it pretty clear this seems to be a trend with Yahoo accounts. I very rarely see compromised accounts with providers OTHER THAN Yahoo, and I doubt only Yahoo users use universal passwords/poor password security... Get it? As far as browsers go, I HATE IE. But I see compromised accounts with users that do not use IE.

I doubt it has anything to do with malware in these cases. I do the maintenance on her machine myself and have yet to find anything malware-related. A friend of mine recently had her account compromised, and her PC is another one I do PM on. The last time malware was found on her machine was over two years ago, and was solved with a reformat/reinstall of the OS.

It's common knowledge Yahoo suffers from poor security and massive amounts of compromised email addresses, and that it has been this way for quite a while.

Oh and Yahoo is only 18 years old, so how could you have been with them for 20 years? Who's the idiot?

@Major General Thanatos: Here's the thing though -- what if you check the list and verify that your account isn't on the list? Do you do nothing? If the claim that Yahoo is riddled with security holes is true, then your account not being in the dump doesn't guarantee that it hasn't been compromised, it just means that it hasn't been compromised quite so publicly. I suspect that any accounts compromised by not-so-public breaches are likely to be abused in more subtle ways than the public ones.

And for all those who might rush to change their password at Yahoo -- what good are they accomplishing if the security vulnerabilities haven't been fixed?

Since Yahoo's not really saying anything: this breach was with a company they bought a couple of years ago called Associated Content, which they renamed to Yahoo Voices. If you've never used either of those services your login won't be on the list.

I implemented password storage just recently with unique salts, key stretching and Sha1 hashing just a few months ago; it took about 4 hours to get working.

Mine took about five minutes (had to write a script to update the DB since I started out lazy), and it's built on bcrypt so it's work-scalable, locally parameterized, and standard, while also not requiring me to be the smart one.

It's common knowledge Yahoo suffers from poor security and massive amounts of compromised email addresses, and that it has been this way for quite a while.

If it's common knowledge, I'm sure you'll have no trouble citing something credible to back it up. I've seen no evidence that Yahoo Mail is any less secure than, say, Hotmail.

Quote:

Oh and Yahoo is only 18 years old, so how could you have been with them for 20 years? Who's the idiot?

Yes, it's quite a crime to not record your exact account creation date on a calendar and then look it up before posting. You're seriously going to call someone an idiot for that?

Only those that come off as douche bags for needlessly calling other people's mothers idiots.

I'm not going to waste time looking up evidence for someone that still can't grasp what I've said. I'll try to keep it simple for you: When a customer calls or stops by the shop because everyone in their address book is receiving spam Viagra emails from said customer, the email accounts are ALMOST, IF NOT ALWAYS, Yahoo hosted email accounts. Where I work, it is common knowledge. We get the calls and walk-ins from people this happens to.

this is the best comment thread evar. trolls, security advice, in depth analysis of password composition, at least two people here built search tools for this list... only on Ars.

Also, i'm going to send cease and desist emails and demand compensation to everyone on this list who are using my first name as their email password.

... and how's that working for you so far, Torben-Ephraim...?

=]

It's working out great. I have dozens of copyright violation notices going out as we speak, demanding $250,000 settlements. If they don't settle, I'll bury them in lawsuits until they have to smash store windows for soda and twinkies just to survive. This is Amurica. I'm just glad Yahoo was visited by these fine young people or I would have never known that my name was so heinously being violated and in such dire need of defense from these filthy Yahoo-using animals.